[CHA-3071] feat: decode gzip-compressed webhook bodies

[nijeesh-stream]

Summary

Adds SDK-side support for the gzip webhook compression that the Stream chat backend can now apply to outbound webhook payloads. Linear: CHA-3071.

The same helper covers HTTP webhooks and SQS / SNS firehose payloads, so customers get one entry point regardless of transport.

What's new

Three additions on App (all public static, no breaking changes):

1. verifyWebhookSignature(apiSecret, byte[], signature) — byte[] overload of the existing string version, with constant-time HMAC compare via MessageDigest.isEqual.
2. decompressWebhookBody(byte[] body, String contentEncoding [, String payloadEncoding]) — primitive that undoes the encoding wrappers Stream applies. gzip for compression, base64 for the SQS / SNS transport wrapper. Anything else throws IllegalStateException with a clear message.
3. verifyAndDecodeWebhook(byte[] body, String signature, String contentEncoding [, String payloadEncoding]) — convenience: decode + verify in one call. Throws SecurityException on signature mismatch. The HMAC is always validated over the innermost (uncompressed, base64-decoded) JSON, so the verification rule is invariant across HTTP and SQS / SNS.

The existing App.verifyWebhook(body, signature) and App.verifyWebhookSignature(apiSecret, body, signature) (string forms) are byte-for-byte unchanged for backward compatibility.

Cross-SDK contract

Same surface is shipping in every SDK so customers see a uniform API:

• Java: App.verifyAndDecodeWebhook(rawBody, signature, contentEncoding, payloadEncoding)
• PHP: $client->verifyAndDecodeWebhook($body, $signature, $contentEncoding, $payloadEncoding)
• Go: client.VerifyAndDecodeWebhook(body, signature, contentEncoding, payloadEncoding)
• Python / Ruby / .NET / JS: equivalent.

payloadEncoding is null for HTTP webhooks today; it's the slot the SQS / SNS firehose path uses to flag a base64 wrapper.

Tests

WebhookCompressionTest covers:

• gzip round-trip + case-insensitive Content-Encoding
• base64 + gzip round-trip (SQS / SNS shape)
• base64-only round-trip
• Every non-gzip Content-Encoding (br, brotli, zstd, deflate, compress, lz4) is rejected with a message pointing operators back to gzip
• Every non-base64 payload_encoding (hex, url, ascii85, binary) is rejected
• Invalid gzip / invalid base64 input → clear IllegalStateException
• byte[] overload of verifyWebhookSignature matches the string version
• Happy paths for verifyAndDecodeWebhook (plain, gzip, base64+gzip)
• Signature mismatch → SecurityException
• Signature computed over compressed bytes → rejected
• Signature computed over base64-wrapped bytes → rejected

Docs

Updates docs/webhooks/webhooks_overview/webhooks_overview.md with the public-facing copy from the Linear ticket, a Content-Encoding row in the headers table, and Java usage examples for both HTTP webhooks and SQS / SNS.

Notes for review

• gzip is the only compression algorithm we support today, despite the server's validation tag. Mirrored across every SDK.
• HMAC is always computed over the innermost JSON. The server PR (GetStream/chat#13222) signs before compressing and (when SQS/SNS lands) before base64-wrapping, so this rule is consistent across transports.
• No new dependencies — java.util.zip.GZIPInputStream and java.util.Base64 are JDK-builtin.

Verification

./gradlew :spotlessJavaApply :test --tests 'io.getstream.chat.java.WebhookCompressionTest'

All tests pass under amazoncorretto:11.